Keyword: - Tags -/artwork

Other articles (100)

  • MediaSPIP 0.1 Beta version

    25 April 2011, by

    MediaSPIP 0.1 beta is the first version of MediaSPIP proclaimed as "usable".
    The zip file provided here only contains the sources of MediaSPIP in its standalone version.
    To get a working installation, you must manually install all software dependencies on the server.
    If you want to use this archive for an installation in "farm mode", you will also need to proceed to other manual (...)

  • Customising categories

    21 June 2013, by

    Category creation form
    For those who know SPIP well, a category can be thought of as a section (rubrique).
    For a document of type category, the fields offered by default are: Text
    This form can be modified under:
    Administration > Form mask configuration.
    For a document of type media, the fields not displayed by default are: Short description
    It is also in this configuration section that you can specify the (...)

  • HTML5 audio and video support

    10 April 2011

    MediaSPIP uses the HTML5 video and audio tags to play multimedia documents, taking advantage of the latest W3C innovations supported by modern browsers.
    For older browsers, the Flowplayer Flash player is used.
    The HTML5 player was created specifically for MediaSPIP: its appearance can be fully customised to match a chosen theme.
    These technologies make it possible to deliver video and sound both to conventional computers (...)

On other sites (6648)

  • Why Matomo is the top Google Analytics alternative

    17 June, by Joe

    You probably made the switch to Google Analytics 4 (GA4) when Google stopped collecting Universal Analytics (UA) data in July 2023. Up to that point, UA had long been the default analytics platform, despite its many limitations. 

    This was mostly because everyone loved its free nature and simple setup. A Google account was all you needed — even a free legacy G-Suite account worked perfectly. Looking at the analytics for just about any website was easy.

    That all changed with GA4, which addressed many of UA’s shortcomings by introducing a completely new way to model website data. Unfortunately, this also meant you couldn’t transfer historical data from UA into GA4, leading to more criticism. 

    Then there’s the added cost. GA4 is still free, but its limited functionality encourages you to upgrade to the enterprise version, Google Analytics 360 (GA360). Sure, you get lots of great functionality, less data sampling, and longer data retention periods, but it comes at a hefty price — $50,000 per year, to be exact.

    There are other options, though, and Matomo Analytics is one of the best. It’s an open-source, privacy-centric platform that offers advanced features of GA360 and more. 

    In this article, we’ll compare GA4, GA360, and Matomo and give you what you need to make an informed decision.

    Google Analytics 4 in a nutshell

    Google Analytics 4 is a great tool to use to start learning about web analytics. But soon enough, you’ll likely find that GA4 doesn’t quite cover all of your needs. 

    For example, it can’t provide a detailed view of user experiences, and Google doesn’t offer dedicated support or onboarding. There are other shortcomings, too.

    Data sampling

    Google only processes a selected sample of website activity rather than every individual data point. Rather than looking at the whole picture, it sets a threshold and selects a [hopefully] representative sample for analysis. 

    This inevitably creates gaps in data. Google attempts to fill them in using AI and machine learning, inferring the rest from data patterns. Since the results rely on assumptions and estimates, they aren’t always precise.

    In practical terms, this means that the accuracy of GA4 analysis will likely decline as website traffic increases.

    Data collection limits

    GA4’s 25 million monthly events limit seems like a lot, but they add up quickly. 

    All user interactions are recorded as events, including:

    • Session start: User visits the site.
    • Page view: User loads a page (tracked automatically).
    • First visit: User accesses the site for the first time.
    • User engagement: User stays on a page for a set time period.
    • Scroll: User scrolls past 90% of the page (enhanced measurement).
    • Click: User clicks on any element (links, buttons, etc.).
    • Video start/complete: User starts or completes a video (enhanced measurement).
    • File download: User downloads a file (enhanced measurement).

    For context, consider a website averaging 50 events per session per user. If every user logs on every third day, on average, you’ll need 10,000 individual visitors a month to reach that 25 million. But that’s not the problem. 

    The problem is that collection limits in GA4 affect your ability to capture, secure, and analyse customer data effectively.

    Customisation

    GA4 users also face configuration limits that restrict their customisation options. For example:

    • Audience limits: Since only 100 audiences are allowed, it’s necessary to combine or optimise segments rather than track too many small groups.
    • Retention limits: Data retention is limited to only 14 months, so external storage solutions may be necessary in situations where historical data needs to be preserved.
    • Conversion events: GA4 will only track up to 30 conversion events, so it’s best to focus on high-value interactions (e.g., purchases and lead form submissions).
    • Event-scoped dimensions: Since e-commerce operations are limited to 50 event-scoped dimensions, they need to carefully consider custom dimensions and key metrics. This makes it important to be selective about which product details to track (color, size, discount code, etc.).

    Data privacy

    GA4 isn’t GDPR-compliant out of the box. In fact, Google Analytics 4 is banned in seven EU countries because they believe the way it collects and transfers data violates GDPR.

    Data privacy regulations may or may not be a big concern, depending on where your customers are. However, if some are in the UK or any of the 30 countries that make up the European Economic Area (EEA), you must comply with the General Data Protection Regulation (GDPR). 

    If you don’t, it tells your customers that you don’t respect their data. It can also get very expensive.

    Limited attribution models

    Attribution models track how different marketing touchpoints lead to a conversion (such as a purchase, sign-up, or lead generation). They help businesses understand which marketing channels and strategies are most effective in driving results.

    GA4 supports only two of the six standard attribution models previously supported in Universal Analytics. Organisations wanting data-driven or last-click attribution models will find them in Google Analytics. But they’ll need to look elsewhere if they’re going to use any of these models:

    • First click attribution
    • Linear attribution
    • Time decay attribution
    • Position-based attribution (u-shaped)

    GA360 isn’t a solution either

    Fundamentally, GA360 is the same product as GA4, without the above limits and restrictions. For companies that pay $50,000 (or more) each year, the only changes involve how much data is collected, how long it stays and data sampling thresholds.

    Above all, the GDPR-compliance issue remains. That can be a real problem for organisations with operations that collect personal data in the EEA or the UK.

    And the problem could soon be much bigger than just those 31 countries. Many countries currently implementing data privacy laws are modelling their efforts on GDPR, which may rule out both GA4 and GA360.

    What makes Matomo the top alternative?

    No data limits

    One way to overcome all these challenges is to switch to Matomo Analytics. 

    There’s no data sampling and no data collection limits whatsoever with on-premise implementation. Matomo also supports all six attribution models, is open source and fully customisable and complies with GDPR out of the box. 

    Imagine trying to change your business strategy or marketing campaigns if you’re not confident that your data is reliable and accurate.

    It’s no secret that data sampling can negatively affect the accuracy of the data, and inaccurate data can lead to poor decision-making.

    With Matomo, there are no limits. We don’t restrict the size of containers within the Tag Manager nor the number of containers or tags within each container. You have more control over your customers’ data. 

    And you get to make your decisions based on all that data. That’s important because data quality is critical for high-impact decisions. 

    Open source

    Open-source software allows anyone to inspect, audit, and improve the source code for security and efficiency. That means no hidden data collection, faster bug fixes, and no vendor lock-in. As a bonus, these things make complying with data privacy laws and regulations easier.

    Matomo can also be modified in any way, which provides unlimited customisation possibilities. There’s also a very active developer community around Matomo, so you don’t have to make changes yourself — you can hire someone who has the technical knowledge and expertise. They can:

    • Modify tracking scripts for advanced analytics
    • Create custom attribution models, tracking methods and dashboards
    • Integrate Matomo with any system (CRM, eCommerce, CMS, etc.)

    Data ownership

    Matomo’s open-source nature also means full data ownership. No third parties can access the data, and there’s no risk of Google using that data for ads or AI training. Furthermore, Matomo follows privacy-first tracking principles, meaning that there’s:

    • No third-party data sharing
    • Full user consent control
    • Support for cookie-less tracking
    • IP Anonymisation, by default
    • Do Not Track (DNT) support

    All of that underlines the fact that Matomo collects, stores, and tracks data 100% ethically.

    On-premise and cloud-based options

    You can use the Matomo On-Premise web analytics solution if local data privacy laws require that you store data locally. Here’s a helpful tip: many of them do. However, this might not be necessary.

    Due to GDPR, several countries recognise the EEA as an acceptable storage location for their citizens’ data. That means servers hosted in any of those 30 countries are already compliant in terms of data location. 

    Alternatively, you could embrace modernity and choose Matomo Cloud — our servers are also in Europe. While GA4 and GA360 are cloud-based, Google’s servers are in the US, and that’s a big problem for GDPR.

    Comprehensive analytics

    If you need a sophisticated web analytics platform that offers full control of your data and you have privacy concerns, Matomo is a solid choice. 

    It has built-in behavioural analytics features like Heatmaps, Scroll Depth and Session Recording. These tools allow you to collect and analyse data without relying on cookies or resorting to data sampling.

    Those standout features can’t be found in GA4 or GA360. Google also doesn’t offer an on-premise solution.

    The one area where Matomo can’t compete with Google Analytics is in its tight integration with the Google ecosystem: Google Ads, Gemini and Firebase.

    Key things to consider before switching to Matomo

    There are pros and cons to switching from GA4 (or even GA360) to Matomo. That’s because no software is perfect. There are always tradeoffs somewhere. With Matomo, there are a few things to consider before switching:

    • Learning curve. Matomo is a full-featured analytics platform with many advanced features (session replay, custom event tracking, etc.). That can overwhelm new users and take time to understand well enough to maximise the benefits.
    • Technical resources. Choosing a Matomo On-Premise solution requires technical resources, such as a server and skills.
    • Third-party integration. Matomo provides pre-built integration tools for about a hundred platforms. However, it’s open source, so technical resources are required. On the plus side, it does make it possible to add to the list of APIs and connectors.

    Head-to-head: GA4 vs GA360 vs Matomo

    It’s always helpful to look at how different products stack up in terms of features and capabilities:

    | Feature | GA4 | GA360 | Matomo |
    |---|---|---|---|
    | Data ownership | | | |
    | Event-based data | | | |
    | Session-based data | | | |
    | Unsampled data | | | |
    | Real-time data | | | |
    | Heatmaps | | | |
    | Session recordings | | | |
    | A/B testing | | | |
    | Open source | | | |
    | On-premise hosting | | | |
    | Data privacy | Subject to Google’s data policies | Subject to Google’s data policies | GDPR, CCPA compliant; full control over data storage |
    | Custom dimensions | Yes (limited in free version) | Yes (higher limits) | Yes (unlimited in self-hosted) |
    | Attribution models | Last click, data-driven | Last click, data-driven, advanced Google Ads integration | Last click, first click, linear, time decay, position-based, custom |
    | Data retention | Up to 14 months (free) | Up to 50 months | Unlimited (self-hosted) |
    | Integrations | Google Ads, Search Console, BigQuery (limited in free version) | Advanced integrations (Google Ads, BigQuery, Salesforce, etc.) | 100+ integrations (Google Ads, WordPress, Shopify, etc.) |
    | BigQuery export | Free (limited to 1M events/day) | Free (unlimited) | Paid add-on (via plugin) |
    | Custom reports | Limited customisation | Advanced customisation | Fully customisable |
    | Scalability | Suitable for small to medium businesses | Designed for large enterprises | Scalable without limits (self-hosted or cloud) |
    | Ease of use | Simple, requires onboarding | Steeper learning curve | Flexible, setup-intensive |
    | Pricing | Free | Premium (starts at $50,000/year) | Free open-source (self-hosted); Cloud starts at $29/month |

    So, is Matomo the right solution for you?

    That’d be a ‘yes’ if you want a Google Analytics alternative that ticks all these boxes:

    • Complies natively with privacy laws and regulations
    • Offers real-time data and custom event tracking
    • Enables a deeper understanding of user behaviour
    • Allows you to fine-tune user experiences
    • Provides full control over your customers’ data
    • Offers conversion funnels, session recordings and heatmaps
    • Has session replay to trace user interactions
    • Includes plenty of readily actionable insights

    Find out why millions of websites trust Matomo

    Matomo is an easy-to-use, all-in-one web analytics tool with advanced behavioural analytics functionality.

    It’ll also help you future-proof your business because it supports compliance with global privacy laws in 162 countries. With an ethical alternative like Matomo, you don’t need to risk your business or customers’ private data.

    It’s not just about avoiding fines. It’s also about building trust with your customers. That’s why you need a privacy-focused, ethical solution like Matomo. 

    See for yourself: download Matomo On-Premise today, or start your 21-day free trial of Matomo Cloud (no credit card required).

  • Understanding GDPR compliance: Key principles and requirements

    28 August, by Joe

    Any company with an online presence will likely collect customers’ personal data in the normal course of business. But those with customers residing in the European Economic Area (EEA) — basically, the European Union (EU) plus Iceland, Liechtenstein and Norway — must comply with the General Data Protection Regulation (GDPR). Companies serving UK data subjects post-Brexit must also abide by the UK GDPR, which includes certain regional variations.

    GDPR authorities are only concerned with personal data (not with non-personal or anonymous data), ensuring that it’s collected, used, and stored in a way that respects users’ rights and privacy.

    Failure to comply can present serious business risks, including:

    • Financial penalties (more about that shortly)
    • Compensation claims from data subjects for mishandling their information
    • Reputational damage (if/when a data breach does occur)
    • Disruption to operations
    • Personal accountability of executives (including potential sanctions)

    This article explores the GDPR and personal data protection, the rights it confers on European data subjects, and how those rights are enforced. We’ll wrap up with an 11-step plan for GDPR compliance. 

    Let’s begin.

    The price of non-compliance

    The largest fine so far levied for GDPR non-compliance is €1.2 billion in May 2023. It was imposed by the Irish Data Protection Commission (DPC) on Meta (previously Facebook). And it was because of Meta’s transfers of EU/EEA data subjects’ personal data to the US from 16 July 2020 in breach of GDPR international data transfer rules.

    Many other fines have been levied for GDPR non-compliance, and there’ll probably be a lot more in the future:

    | Penalty | Company | Supervisory Authority | Date |
    |---|---|---|---|
    | €746 million | Amazon | Luxembourg National Commission for Data Protection (CNDP) | 16 July 2021 |
    | €405 million | Meta | Ireland’s Data Protection Commission (DPC) | 5 September 2022 |
    | €390 million | Meta | Ireland’s Data Protection Commission (DPC) | 6 January 2023 |
    | €345 million | TikTok | Ireland’s Data Protection Commission (DPC) | 1 September 2023 |
    | €310 million | LinkedIn | Ireland’s Data Protection Commission (DPC) | 30 October 2024 |
    | €290 million | Uber | Dutch Data Protection Authority (DPA) | 26 August 2024 |

    Those are big numbers. European supervisory authorities take enforcement seriously.

    So, what is personal data anyway?

    GDPR defines personal data as any information about a data subject (an identified or identifiable individual). This covers both direct (name, address, ID numbers, etc.) and indirect identifiers (IP addresses, location data, etc.). It categorises personal data into two types: general and special category.

    General data includes identifiers like names, contact details, and financial information. 

    Special category data, such as racial or ethnic origin, health data, biometric information, and sexual orientation, needs more protection. 

    The processing of special category data is only allowed under certain conditions, for example, if consent was given explicitly or if vital interests (e.g., a threat to life), legal obligations, or public interest are involved. GDPR emphasises safeguarding sensitive data due to its potential impact on individuals’ privacy and rights.

    Important GDPR terminology

    Apart from the data subject, personal data, and special category data mentioned above, GDPR introduces other legal terms and concepts organisations must understand. A data controller decides what personal data to collect and how to use it. A data processor processes the data on behalf of the data controller.

    A Data Protection Officer (DPO) oversees GDPR compliance. Processing is any operation performed on data, such as collecting, analysing or storing it. That processing must also have a lawful basis, such as consent, contract, or legitimate interests. And consent must be freely given, specific, and easily withdrawable. 

    A data breach involves unauthorised access to or loss of personal data. A Data Protection Impact Assessment (DPIA) identifies risks to individuals’ rights. Data minimisation requires organisations to minimise what data they collect. Countries in the EU/EEA have appointed a supervisory authority to enforce GDPR in their territory.

    Rights of EU/EEA data subjects under GDPR 

    GDPR grants specific rights to individuals (data subjects) who are physically present in the EU/EEA when their personal data is processed, regardless of nationality or residence status. The business’s physical or legal presence is irrelevant, as the determining factor is the data subject’s location at the time of processing.

    Non-compliance can lead to significant penalties and even criminal charges in jurisdictions where such penalties are enforced under national law. 

    To support responsible data practices, the GDPR defines key foundational rights.

    Transparency

    Two rights granted to data subjects in the EU/EEA under GDPR relate to transparency:

    1. The right to be informed (proactive, applies at data collection)
    2. The right of access (reactive, applies when the data subject makes a request)

    They provide transparency by mandating that data subjects be provided specific details about that process, including:

    • Company or organisation processing the data (with contact details)
    • Reasons for using the data
    • Categories of personal data involved
    • Legal basis for processing the data
    • How long data will be stored
    • Other companies, organisations, or third parties with access to the data
    • Whether data will be transferred outside the EU/EEA

    Privacy notices should meet the standards in GDPR Articles 12–14, covering what data is collected, for what purpose, and how users can exercise their rights. 

    For a deeper dive, check out: How to write a GDPR-compliant privacy notice.

    Objections and restricted processing

    Under GDPR, individuals in the EU/EEA have the right to object to the processing of personal data in two key respects:

    1. They can object to direct marketing, after which organisations must stop processing their data immediately, with no justification required.
    2. If data is being processed on the basis of the organisation’s legitimate interests or for tasks carried out in the public interest, data subjects can object if they believe their own rights and freedoms outweigh those interests. Again, processing must stop unless the organisation proves compelling legitimate grounds outweighing the individual’s rights.

    Individuals can also request temporary restrictions on data processing when:

    • Their data isn’t accurate (until verified).
    • Processing is unlawful, but they prefer restriction over deletion.
    • Their data is no longer being used, but must be retained for legal purposes.
    • They have objected to processing, and verification of legitimate grounds is pending.

    During restriction, the organisation can continue storing the data, but may not process it without explicit consent or when certain exceptions apply.

    Rectification and erasure

    Individuals have the right to rectify errors in their data and to erasure (deleting data). First, they can request corrections to inaccurate or incomplete personal data. GDPR requires organisations to act without undue delay to ensure that stored data remains accurate and up to date.

    The right to erasure (aka the right to be forgotten) enables individuals to request deletion of their personal data when:

    • It’s no longer needed for its original purpose
    • They withdraw consent, and no other legal basis exists
    • Processing is unlawful
    • They object to processing, and no overriding legitimate grounds exist
    • The data must be deleted to comply with a legal obligation

    Organisations must delete data unless exemptions (e.g., legal compliance, public interest, or legal claims) apply.

    Data portability

    GDPR provides the right to data portability. People can request their personal data in a structured, common, and machine-readable format so it’s easier to review or transfer to another service provider. This applies when data is:

    • Provided by the individual, either directly (e.g., name, email) or indirectly through use of a service (e.g., purchase history)
    • Processed based on consent or a contract
    • Handled using automated means

    Portability does not apply to personal data processed on the basis of legal obligations or legitimate interests. It only applies when processing is based on consent or a contract, and carried out by automated means.

    Where technically feasible, GDPR also requires organisations to facilitate direct transfers of personal data to another controller at the subject’s request.

    Automated decision-making and profiling

    GDPR grants EU/EEA data subjects the right not to be subject exclusively to automated decision-making, with legal or similarly significant effects, without human involvement. This applies to issues affecting them, such as job screening, loan approvals, or insurance pricing. They can:

    • Request human intervention: A real person must review the decision.
    • Express their viewpoint: Provide additional information or dispute the outcome.
    • Challenge the decision: Demand justification and correction if unfair.

    For example, imagine someone applying for a loan online, and the algorithm rejects the application based on credit history. They can request a human review to ensure fairness and consider special circumstances, such as recent debt clearance.

    However, GDPR also provides for some exceptions. Automated decisions are allowed if one of the following statements is true:

    • It’s obtained with explicit consent.
    • It’s necessary for a contract.
    • It’s permitted by law, with safeguards.

    How is GDPR enforced?

    GDPR enforcement is carried out primarily by national supervisory authorities in each EU/EEA country. These authorities investigate complaints, conduct audits, and impose penalties for non-compliance within their jurisdictions. In cross-border cases, they collaborate through the one-stop-shop mechanism, which designates a lead authority to coordinate enforcement.

    The European Data Protection Supervisor (EDPS) is the independent data protection authority for EU institutions and agencies. It does not supervise private-sector or national public-sector organisations and is not a general enforcer of the GDPR.

    The European Data Protection Board (EDPB) is the body responsible for ensuring consistent application of the GDPR across the EU/EEA. Made up of representatives from national supervisory authorities and the EDPS, the EDPB issues guidelines, resolves disputes between authorities, and adopts binding decisions in cross-border matters.

    The origins of GDPR

    The EU’s regulation was adopted in 2016 to replace the 1995 Data Protection Directive (DPD), which predated the digital age. As technology use increased, vast amounts of personal data were collected, analysed, and stored, often without people’s knowledge, threatening their privacy and security.

    The main motivation behind GDPR was to unify the application of data protection rules across the EU/EEA through a directly applicable regulation, rather than a directive that required separate implementation by each member state. The aim was to eliminate fragmentation, ensure consistent enforcement, and strengthen individuals’ rights.

    Enter GDPR. It was agreed upon after years of negotiations between the 27 EU member states, the European Parliament, and the European Commission. It was formally adopted in 2016 and became fully enforceable on May 25, 2018. But there’s a difference. DPD was a directive that had to be implemented separately by member states. From that date, GDPR has been applied uniformly across the EU/EEA.

    The EEA adopted the GDPR on 6 July 2018, and it went into force on 20 July 2018. It’s since become a global template, influencing data protection and privacy laws in countries like Brazil (LGPD), India, and Japan. The UK retained GDPR after Brexit, adapting it into the UK GDPR, which closely mirrors the EU version but allows for future divergence.

    Who does it apply to?

    GDPR protects the personal data of individuals who reside in the EU/EEA. It applies to any organisation processing that data, no matter where it’s located in the world. This remains true even if the data is transferred outside the EU/EEA for storage and/or processing.

    Organisations are having difficulty with this regulation, as evidenced by the fines that have been meted out. Whether the penalties are paid, reduced through negotiation or still owed, their existence is a lingering uncertainty for the companies involved.

    Who must comply

    GDPR applies if you:

    • Have an office or another form of establishment in the EU/EEA, or
    • Offer goods/services to data subjects located in the EU/EEA (even if free), or
    • Monitor EU/EEA data subjects’ behaviour (e.g., via cookies or analytics)

    What does GDPR require?

    GDPR requires organisations to respect a clear set of data protection principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. It also obliges them to ensure that they always have a valid legal basis (consent, contract, legal obligation, legitimate interests, etc.) to process the personal data.

    Data should also not be stored longer than necessary to fulfil the specific purpose for which it was collected. Appropriate organisational measures must be taken to ensure the security and integrity of the personal data and protect it from breaches, loss, or unauthorised access. Should a reportable data breach occur, it must be reported to the relevant supervisory authority within 72 hours. Affected individuals must be informed if the breach is likely to result in a high risk to their rights.

    Organisations must also demonstrate accountability by keeping detailed records of processing activities and conducting DPIAs for high-risk processing. If their core activities involve large-scale processing of special categories of data or regular and systematic monitoring of individuals, they must appoint a DPO. 

    Finally, organisations must implement adequate safeguards when transferring data outside the EU/EEA through the GDPR Chapter V mechanism, such as adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, etc.

    By adhering to these requirements, organisations ensure compliance with GDPR and protect the data privacy and rights of EU/EEA data subjects.

    11 steps to compliance

    Once you’ve confirmed that the GDPR applies to your organisation’s processing of personal data, you can begin working toward compliance.

    Below, we’ve broken the process into eleven clear steps to help guide you.

    Step 1: Map your data: Purpose, use and legal basis

    Any organisation operating in the EU, EEA or UK and handling personal data of data subjects in those regions must audit all the personal data it currently holds. 

    Your organisation must identify the legal basis for processing all data subject to the GDPR. If no legal basis can be found or justified, the processing will not be permitted under the GDPR.

    Step 2: Consider appointing a DPO

    According to the GDPR text, a DPO is mandatory only under certain conditions, mainly due to processing volume and the type of organisation. But there are certain scenarios where it’s required.

    • Public authorities that process personal data as a matter of course, except for courts in their judicial capacity.
    • Organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale.
    • Organisations that process specific “special” data categories (as defined by the GDPR) or data relating to criminal offences as a core activity on a large scale.

    It’s vague, and GDPR doesn’t clearly define “core activity” or “large scale”. If you are unsure whether your organisation falls into these categories, seek legal advice and err on the side of caution. Regardless, even if you are not required to appoint a DPO, it’s a good idea to appoint someone to monitor and oversee GDPR compliance efforts internally.

    Step 3 : Identify supervisory authorities

    The competent supervisory authority is generally determined by the territories in which an organisation operates. However, GDPR does make provisions for operations that cover multiple countries. In those cases, the GDPR provides a one-stop-shop mechanism to streamline oversight.

    In such cases, a lead supervisory authority (LSA) is designated. Organisations cannot freely choose their lead supervisory authority ; it depends on the location of the main establishment (Art. 56 GDPR).

    Most EEA countries have only one supervisory authority. Germany is the exception. Federal states each have their own DPA, and the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit oversees federal matters. 

    Step 4 : Consider a Data Protection Impact Assessment

    GDPR requires a DPIA when processing is likely to result in a high risk to individuals’ rights and freedoms. Examples include large-scale processing of sensitive data, systematic profiling, public monitoring, or innovative technology use. A DPIA involves describing the processing, assessing necessity, identifying risks, and implementing mitigation measures.

    If the process reveals residual, unmitigated high risks, the DPIA report must be submitted to the nominated supervisory authority for consultation before the processing can proceed. Feedback can be expected within 8 weeks (extendable to 14 weeks), and the recommendations must be implemented. Conducting a DPIA is one way to ensure compliance. It also protects individuals’ rights and avoids fines for non-compliance.

    Step 5 : Establish a data breach process

    Organisations must quickly implement systems to identify and assess breaches for scope and impact. They must act immediately to contain the breach and record all the details and the actions taken.

    Image with a bulleted list of incidents that may lead to a data breach

    Data breaches likely to result in a risk to individuals’ rights and freedoms must be reported to the supervisory authority within 72 hours of the organisation becoming aware of the breach. If the breach is likely to result in a high risk to the individuals’ rights and freedoms, the controller has an obligation to inform the affected individuals as well. Data breach processes should also be reviewed regularly and included in staff training. 

    Here’s a simplified version :

    Simplified data breach response checklist

    • Detect and confirm the breach
    • Contain and mitigate the impact
    • Assess the severity and potential harm
    • Document the breach
    • Report the breach
    • Inform affected individuals
    • Review and improve
    • Train staff in breach response protocols

    Step 6 : Review websites and website form security

    Websites and the forms on them are common gateways for personal data, making them a high-value target for bad actors. Ensuring these entry points are secure is essential to protecting user data and supporting GDPR’s requirements for confidentiality, integrity, and resilience (Article 32).

    Here are some key actions to take : 

    Website and form security best practices

    • Use HTTPS with a valid SSL/TLS certificate – Ensure pages that collect/display personal data are served over HTTPS to encrypt data in transit and prevent interception.
    • Secure all data collection forms – Validate and sanitize user input to protect against common threats, such as cross-site scripting (XSS), injection attacks, and form spam. Use security headers such as Content Security Policy (CSP) to prevent malicious script execution. Implement CAPTCHAs or other bot detection.
    • Restrict access to form submissions – Store submitted data securely and restrict access to authorized personnel. Use strong passwords, enable multi-factor authentication (MFA), and apply role-based access controls (RBAC) where possible.
    • Keep your website software up to date – Apply regular security patches to your CMS, plugins, and third-party libraries. Remove unused components and services that may introduce vulnerabilities.
    • Monitor and test for vulnerabilities – Perform regular security scans and penetration tests to identify risks. Monitor error logs and unusual activity, especially around form endpoints.

    Taking these proactive steps to strengthen form security and reduce breach risk will support your organization’s GDPR compliance posture.

    Step 7 : Consider age when required

    Under Article 8 of the GDPR, age verification is only required when :

    • Personal data is being processed on the basis of consent, and
    • The service is offered directly to children (i.e., an information society service provided online)

    In these cases, organisations must ensure the child is at least 16 years old, unless a lower age threshold has been set by national law (e.g., 13 in the UK).

    Age verification methods must be proportionate to the level of risk, aligned with the principle of data minimisation, and appropriate for the audience. Common approaches include : 

    • Self-declaration with confirmation prompts
    • Email-based parental consent mechanisms
    • Content gating or notices for services not intended for children

    More intrusive methods, such as biometric estimation, government ID upload, or video verification, should be avoided unless absolutely necessary. When justified, such methods must undergo a Data Protection Impact Assessment (DPIA) and meet the requisite necessity and proportionality standards.

    Step 8 : Implement double-opt-in for all email lists and services

    At present, Germany is the only EU country with a clear legal mandate for double opt-in under its national GDPR implementation and ePrivacy laws. While not explicitly required elsewhere in the EU and EEA, double opt-in is widely recommended as a best practice to ensure explicit consent.

    This process confirms that the user explicitly agrees while reducing opportunities for fraud and improving compliance. It also builds trust, as customers know how you’re handling their data. A clear, up-to-date privacy policy is essential to the process. It must outline how data is used and stored and how an individual’s rights can be exercised.

    For example, obtaining consent in an email marketing campaign may involve the following steps :

    1. The user signs up for a newsletter or service.
    2. They receive a confirmation email/text message with a verification link.
    3. The user clicks the link to confirm consent.
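
    The three-step flow above, sketched as an added example (not code from Matomo or from the original article): the verification link carries an HMAC-signed, expiring token, and consent is recorded with both timestamps only once the link is confirmed. The signing key, the 48-hour validity window and all function and class names are assumptions.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: loaded from a secret store in practice
TOKEN_TTL_SECONDS = 48 * 3600          # assumption: how long a verification link stays valid


def sign(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload, so the link cannot be forged or altered."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(email: str, purpose: str, issued_at: int) -> str:
    """Build the value placed in the verification link (step 2)."""
    claims = {"email": email.strip().lower(), "purpose": purpose, "iat": issued_at}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return payload.hex() + "." + sign(payload)


class ConsentLedger:
    """Tracks pending sign-ups and confirmed opt-ins (hypothetical in-memory store)."""

    def __init__(self):
        self.pending = {}   # (email, purpose) -> sign-up timestamp
        self.records = []   # confirmed opt-ins: the evidence of consent

    def sign_up(self, email: str, purpose: str, now: int) -> str:
        """Step 1: register the request. Nothing is subscribed yet."""
        self.pending[(email.strip().lower(), purpose)] = now
        return issue_token(email, purpose, now)

    def confirm(self, token: str, now: int) -> str:
        """Step 3: the user clicked the link. Returns a status string."""
        try:
            payload_hex, signature = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return "malformed"
        # Constant-time comparison; the payload is parsed only after it verifies.
        if not hmac.compare_digest(signature.encode(), sign(payload).encode()):
            return "bad-signature"
        claims = json.loads(payload)
        if now - claims["iat"] > TOKEN_TTL_SECONDS:
            return "expired"
        key = (claims["email"], claims["purpose"])
        # Single use: the token must match the sign-up that is still pending.
        if self.pending.get(key) != claims["iat"]:
            return "not-pending"
        del self.pending[key]
        self.records.append({
            "email": claims["email"],
            "purpose": claims["purpose"],
            "signed_up_at": claims["iat"],
            "confirmed_at": now,
        })
        return "confirmed"

    def has_consent(self, email: str, purpose: str) -> bool:
        wanted = (email.strip().lower(), purpose)
        return any((r["email"], r["purpose"]) == wanted for r in self.records)


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample sign-up; timestamps are plain Unix seconds.
    link_token = ledger.sign_up("ana@example.org", "newsletter", now=1_000_000)
    print(ledger.has_consent("ana@example.org", "newsletter"))  # before the click
    print(ledger.confirm(link_token, now=1_000_060))
    print(ledger.has_consent("ana@example.org", "newsletter"))  # after the click
    print(ledger.confirm(link_token, now=1_000_120))            # replayed link
```

    Until `confirm` succeeds, the address stays out of the mailing list, so a sign-up made with someone else's address never results in mail beyond the single verification message.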

    Step 9 : Restrict international data transfers

    GDPR restricts transfers of data subjects’ personal data outside the European Economic Area (EEA) unless certain conditions are met.

    Such transfers are not permitted unless one of the following conditions is met :

    1. Appropriate safeguards are in place, such as :
      • Standard contractual clauses (SCCs) approved by the Commission
      • Binding corporate rules (BCRs) for multinational groups
    2. The destination country is one of the following countries that has received an adequacy decision from the European Commission.
    Countries with GDPR adequacy decisions (as of July 2025)

      • Andorra – Full adequacy decision
      • Argentina – Full adequacy decision
      • Canada – Applies only to commercial organisations under PIPEDA
      • Faroe Islands – Full adequacy decision
      • Guernsey – Full adequacy decision
      • Isle of Man – Full adequacy decision
      • Israel – Full adequacy decision
      • Japan – Adequacy with additional safeguards aligned to EU standards
      • Jersey – Full adequacy decision
      • New Zealand – Full adequacy decision
      • Republic of Korea – Adequacy decision adopted in 2021
      • Switzerland – Longstanding adequacy decision (dating back to the 2000s)
      • United Kingdom – Adequacy under both GDPR and the Law Enforcement Directive (LED)
      • United States – Applies only to commercial organisations certified under the EU-US Data Privacy Framework

    Major fines (like Meta’s €1.2 billion) have already been levied for unlawful data transfers. In addition, third-party service providers and data processors charged with handling EU data must also be GDPR-compliant. 

    If personal data is processed by a third party outside the EEA, organisations must verify that contractual safeguards comply with GDPR Article 28. These processor management safeguards cover :

    • Contractual – Defines what the processor is permitted to do with personal data
    • Security – Specifies technical and organisational safeguards to protect data
    • Breach notifications – Requires processors to report breaches in a timely manner
    • Sub-processor oversight – Grants approval rights over any sub-processors
    • End-of-service handling – Ensures return or proper disposal of personal data at contract end
    • Audit rights – Allows controllers to audit processor compliance if needed

    Step 10 : Record of Processing Activities (ROPA)

    GDPR obliges both data controllers and data processors to maintain a Record of Processing Activities (ROPA). This processing register details how and why personal data is processed, and it must include the following : 

    • Name and contact details (and DPO, if applicable)
    • Processing purposes (marketing, HR, customer service, etc.)
    • Data categories (names, emails, financial data, etc.)
    • Data subject categories (customers, employees)
    • Transfers outside the EEA (legal basis, safeguards like SCCs, etc.)
    • Retention periods for each data category
    • Security measures (encryption, access controls, etc.).

    For data controllers, the ROPA must also include the names and details of any recipients of personal data, such as services or processors. The register should also map the flow of data through the organisation (and any third parties), which is needed for audits or analysing a data breach.

    An effective ROPA depends on strong data governance. Clearly-defined processes, ongoing training, and regular reviews are necessary to keep internal policies aligned with how personal data is actually handled in practice.

    Maintaining a ROPA also supports GDPR’s accountability principle : organisations must be able to show compliance, not just claim it. Documented policies, audits, and training records provide the evidence needed to demonstrate this.

    Step 11 : Data subject rights management

    Organisations that collect, store, analyse, or process the personal data of EEA data subjects must regularly advise customers of their rights under GDPR. In particular, they must remind data subjects of their right to submit a Data Subject Access Request (DSAR) and respond promptly to DSARs from individuals requesting access to their personal data.

    Among other things, EEA data subjects may request :

    • Confirmation that their data is being processed
    • A copy of their data
    • Information about how and why their data is being processed
    • The purposes of processing
    • Categories of personal data involved
    • Recipients or categories of recipients who receive the data
    • Data retention periods or criteria used to determine them
    • The data source (if not collected directly from the individual)

    DSARs can be refused if they’re manifestly unfounded or excessive or if providing the data would adversely affect the rights of others. But it’s advisable to use that as a last resort.

    GDPR compliance in practice

    GDPR compliance isn’t automatic — not even with privacy-focused tools like Matomo or reconfigured platforms like Google Analytics 4.

    Regardless of which analytics solution you use, data protection laws like GDPR and the ePrivacy Directive require organisations to : 

    • Track only when lawful, and with valid user consent when required.
    • Configure privacy settings to comply with the GDPR.
    • Only collect data that is proportionate, transparent, and serves a legitimate, disclosed purpose.

    Even the best tools can fail if they aren’t used properly. That’s why governance, intentional setup, and consistent consent management are necessary parts of compliance.

    Matomo offers secure, privacy-focused GDPR analytics. It includes a built-in GDPR Manager and privacy centre to fine-tune your privacy settings.

    To get started with Matomo, you can sign up for a 21-day free trial — no credit card required. 

  • First-party data explained : Benefits, use cases and best practices

    25 July, by Joe

    Third-party cookies are being phased out, and marketers who still depend on them for user insights need to find alternatives.

    Google delayed the complete deprecation of third-party cookies until early 2025, but many other browsers, such as Mozilla, Brave, and Safari, have already put a stop to them. Plus, looking at the number of data leak incidents, like the one where Twitter leaked 200 million user emails, collecting and using first-party data is a great alternative. 

    In this post, we explore the ins and outs of first-party data and examine how to collect it. We’ll also look at various use cases and best practices to implement first-party data collection.

    What is first-party data ?

    First-party data is information organisations collect directly from customers through their owned channels. 

    Organisations can capture data without intermediaries when people interact with their website, mobile app, social media accounts or other customer-facing systems.

    For example, businesses can track visitor behaviour, such as bounce rates and time spent browsing particular pages. This activity is considered first-party data when it occurs on the brand’s digital property.

    Some examples include :

    • Demographics : Age, gender, location, income level
    • Contact information : Email addresses, phone numbers
    • Behavioural insights : Topics of interest, content engagement, browsing history
    • Transactional data : Purchase history, shopping preferences

    A defining characteristic is that this information comes straight from the source, with the customer’s willingness and consent. This direct collection method is why first-party data is widely regarded as more reliable and accurate than second or third-party data. With browsers like Chrome fully phasing out third-party cookies by the end of 2025, the urgency for adopting more first-party data strategies is accelerating across industries.

    How to collect first-party data 

    Organisations can collect first-party data in various ways. 

    Website pixels

    In this method, organisations place small pieces of code that track visitor actions like page views, clicks and conversions. When visitors land on the page, the pixel activates and collects data about their behaviour without interrupting the user experience. 

    Website analytics tools

    With major browsers like Safari and Firefox already blocking third-party cookies (and Chrome phasing them out soon), there’s even more pressure on organisations to adopt first-party data strategies.

    Website analytics tools like Matomo help organisations collect first-party data with features like visitor tracking and acquisition analysis to analyse the best channels to attract more users. 

    Multi-attribution modelling helps businesses understand how different touchpoints (social media channels or landing pages) persuade visitors to take a desired action (like making a purchase). 

    Various web analytics features of Matomo


    Other activities include :

    • Cohort analysis 
    • Heatmaps and session recordings 
    • SEO keyword tracking
    • A/B testing 
    • Paid ads performance tracking

    Heatmap feature in Matomo

    Account creation on websites

    When visitors register on websites, they provide information like names, email addresses and often demographic details or preferences.

    Newsletters and subscriptions 

    With email subscriptions and membership programs, businesses can collect explicit data (preferences selected during signup) and implicit data (engagement metrics like open rates and click patterns).

    Gated content

    Whitepapers, webinars or exclusive articles often ask for contact information when users want access. This approach targets specific audience segments interested in particular topics.

    Customer Relationship Management (CRM) systems

    CRM platforms collect information from various touchpoints and centralise it to create unified customer profiles. These profiles include detailed user information, like interaction history, purchase records, service inquiries and communication preferences.

    Mobile app activity

    Mobile in-app behaviours can assist businesses in gathering data such as :

    • Precise location information (indicating where customers interact with the app)
    • Which features they use most often
    • How long they stay on different screens
    • Navigation patterns

    This mobile-specific data helps organisations understand how their customers behave on smaller screens and while on the move, insights that website data alone cannot provide.

    Point of Sale (PoS) systems

    Modern checkout systems don’t just process payments. PepsiCo proved this by growing its first-party data stores by more than 50% through integrated PoS systems. 

    Today’s PoS technology captures detailed information about each transaction :

    • Item(s) sold
    • Price (discounts, taxes, tip)
    • Payment type (card, cash, digital wallet)
    • Time and date
    • Loyalty/rewards number
    • Store/location

    Plus, when connected with loyalty programs where customers identify themselves (by scanning a card or entering a phone number), these systems link purchase information to individuals. 

    This creates valuable historical records showing how customer preferences evolve and offering insight into :

    • Which products are frequently purchased together
    • The time of the day, week, month, or year when items sell best
    • Which promotions or special offers are most effective

    Server-side tracking 

    Most websites track user behaviour through code that runs in the visitor’s web browser (client-side tracking). 

    Server-side tracking takes a different approach by collecting data directly on the company’s own servers. 

    Because the tracking happens on company servers rather than browsers, ad-blocking software doesn’t block it. 

    Organisations gain more consistent data collection and greater control over their customer information. This privacy-friendly approach lets companies get the data they need without relying on third-party tracking scripts.

    Now that we understand how organisations can gather first-party data, let us explore its use cases. 

    Use cases of first-party data 

    Businesses can use first-party data in many ways, from creating customer profiles to personalising user experiences.

    Developing comprehensive customer profiles

    First-party data can help create detailed customer profiles

    Here are some examples :

    • Demographic profiles : Age, gender, location, job role and other personal characteristics.
    • Behavioural profiles : Website activity, purchase history and engagement with marketing campaigns that focus on how users interact with businesses and their offerings.
    • Psychographic profiles : Customer’s interests, values and lifestyle preferences.
    • Transactional profiles : Purchase patterns, including the types of products they buy, how often they purchase and their total spending.

    The benefit of developing these profiles is that businesses can then create specific campaigns for each profile, instead of running random campaigns. 

    For example, a subscription service business may have a behavioural profile of ‘inactive users’. To reignite interest, they can offer discounts or limited-time freebies to these users.

    Crafting relevant content

    First-party data shows what types of content customers engage with most. 

    If customers love watching videos, businesses can create more video content. If a blog gets more readership for its tech articles, it can focus on tech-related content to adjust to readers’ preferences. 

    Uncovering new marketing opportunities

    First-party data lets businesses analyse customer interactions in a way that can reveal untapped markets. 

    For example, if a company sees that many website visitors are from a particular region, it might consider launching campaigns in that area to boost sales. 

    Personalising experiences

    89% of decision-makers believe personalisation is key to business success in the next three years. 

    First-party data helps organisations to tailor experiences based on individual preferences. 

    Personalised experiences increase customer satisfaction

    For example, an e-commerce site can recommend products based on previous purchases or browsing history. Shoppers with abandoned carts can get reminders. 

    It’s also helpful to see how customers respond to different types of communication. Certain groups may prefer emails, and some may prefer text messages. Similarly, some users spend more time on quizzes and interactive content like wizards or calculators. 

    By analysing this, businesses can adjust their strategies so that users get a personal experience when they visit a website.

    Optimising operations

    The use cases of first-party data don’t just apply to the marketing domain. They’re also valuable for operations. When businesses analyse customer order patterns, they can spot the best locations for fulfilment centres that reduce shipping time and costs.

    For example, an online retailer might discover that most customers are concentrated in urban areas and decide to open fulfilment centres closer to those locations.

    Or, in the public sector, transport companies can use first-party data to optimise routes and fine-tune fare simulation tools. By analysing rider queries, travel preferences and interaction data, they can :

    • Prioritise high-demand routes during peak hours 
    • Adjust fare structures to reflect common trip or rider patterns
    • Make personalised travel suggestions based on individual user history.

    Benefits of first-party data 

    First-party data offers two significant benefits : accuracy and compliance. It comes directly from the customers and can be considered more accurate and reliable. But that’s not it. 

    First-party data aligns with many data privacy regulations, like the GDPR and CCPA. That’s because first-party data collection requires explicit consent, which means the data remains confidential. This builds compliance, and customers develop more trust in the business.

    Best practices to collect and manage first-party data 

    Though first-party data comes with many benefits, how should organisations collect and manage it ? What are the best practices ? Let’s take a look. 

    Define clear goals

    Though defining clear goals seems like overused advice, it’s one of the most important. If a business doesn’t know why it’s collecting first-party data, all the information gathering becomes purposeless. 

    Businesses can think of different goals to achieve from first-party data collection : improving customer relationships, enhancing personalisation or increasing ROI. 

    Once these goals are concrete, they can guide data collection strategies and help understand whether they’re working.

    Establish a privacy policy

    A privacy policy is a document that explains why a business is collecting a user’s data and what it will do with it. By being open and honest, this policy builds trust with customers, so customers feel safe sharing their information. 

    For example, an e-commerce privacy policy may read like : 

    “At (Business name), your privacy is important to us. We collect your information when you create an account or buy something. This information includes your name, email and purchase history. We use this data to give you a better shopping experience and suggest products that you’ll find useful. We follow all data privacy laws like GDPR to keep your personal information safe.” 

    For organisations that use Matomo, we suggest updating the privacy policy to explain how Matomo is used and what data it collects. Here’s a privacy policy template for Matomo users that can be easily copied and pasted. 

    For a GDPR compatible privacy policy, read How to complete your privacy policy with Matomo analytics under GDPR.

    Simplify consent processes

    Businesses should obtain explicit user consent before collecting their data, as shown in the image below. 

    Have a consent process in place that shares what kind of user data is going to be accessed


    To do this, integrate user-friendly consent management platforms that let customers easily access, view, opt out of, or delete their information.

    To ensure consent practices align with GDPR standards, follow these key steps :

    GDPR-compliant consent checklist

    • State the purpose clearly – Describe data usage in plain terms.
    • Use granular opt-ins – Separate consents by purpose.
    • Avoid pre-ticked boxes – Active choices only.
    • Enable easy opt-out – Simple and accessible withdrawal.
    • Log consent – Timestamp and record every opt-in.
    • Review periodically – Audit for accuracy and relevance.

    Comply with platform-specific restrictions

    In addition to general consent practices, businesses must comply with platform-specific restrictions. This includes obtaining explicit permissions for :

    • Location services : Users must consent to sharing their location data.
    • Contact lists : Businesses need permission to access and use contact information.
    • Camera and microphone use : Users must consent to using the camera and microphone.
    • Advertising IDs : On platforms like iOS, businesses must obtain consent to use advertising IDs. 

    For example, Zoom asks the user if it can access the camera and the microphone by default.

    Utilise multiple data collection channels

    Instead of relying on just one source to collect first-party data, it is better to use multiple channels. Gather first-party data from diverse sources such as websites, mobile apps, CRM systems, email campaigns, and in-store interactions (for richer datasets). This way, businesses get a more complete picture of their customers.

    Implementing a strong data governance framework with proper tooling, taxonomy, and maintenance practices is also vital for better data usability.

    Use privacy-focused analytics tools 

    Focus on not just collecting data but also doing it in a way that’s secure and ethical.

    Use tools like Matomo to track user interactions and gather meaningful analytics. For example, Matomo heatmaps can give you a visual insight into where users click and scroll, all while following all the data privacy laws.

    Matomo's heatmaps giving a visual insight into where users scroll the most


    What is second-party data ? 

    Second-party data is information that one company collects from its customers and shares with another company. It’s like “second-hand” first-party data because it’s collected directly from customers but used by a different business.

    Companies purchase second-party data from trusted partners instead of getting it directly from the customer. For example, hotel chains can use customer insights from online travel agencies, like popular destinations and average stay lengths, to refine their pricing strategies and offer more relevant perks.

    When using second-party data, it’s essential to :

    • Be transparent : Share with customers that their data is being shared with partners. 
    • Conduct regular audits : Ensure the data is accurate and handled properly to maintain strong privacy standards. If their data standards don’t seem that great, consider looking elsewhere.

    What is third-party data ? 

    Third-party data is collected from various sources, such as public records, social media or other online platforms. It’s then aggregated and sold to businesses. Organisations get third-party data from data brokers, aggregators and data exchanges or marketplaces. 

    Some examples of third-party data include life events from user social media profiles, like graduation, or facts about different organisations, like the number of employees and revenue.

    For example, a data broker might collect information about people’s interests from social media and sell it to a company that wants to target ads based on those interests.

    Third-party data often raises privacy concerns due to its collection methods. One major issue is the lack of transparency in how this data is obtained. 

    Consumers often don’t know that their information is being collected and sold by third-party brokers, leading to feelings of mistrust and violation of privacy. This is why data privacy guidelines have evolved. 

    What is zero-party data ? 

    Zero-party data is the information that customers intentionally share with a business. Some examples include surveys, product ratings and reviews, social media polls and giveaways.

    Organisations collect first-party data by observing user behaviours, but zero-party data is the information that customers voluntarily provide. 

    Differences between first-party and zero-party data

    Zero-party data can provide helpful insights, but self-reported information isn’t always accurate. People don’t always do what they say. 

    For example, customers in a survey may share that they consider quality above all else when purchasing. Still, looking at their actual behaviour, businesses can see that they make a purchase only when there’s a clearance or a sale.

    First-party data can give a broader view of customer behaviours over time, which zero-party data may not always be able to capture. 

    Therefore, while zero-party data offers insights into what customers say they want, first-party data helps understand how they behave in real-world scenarios. Balancing both data types can lead to a deeper understanding of customer needs.

    Getting valuable customer insights without compromising privacy 

    Matomo is a powerful tool for organisations that want to collect first-party data. We’re a full-featured web analytics tool that offers features that allow businesses to track user interactions without compromising the user’s personal information. Below, we share how.

    Data ownership

    Matomo allows organisations to own their analytics data, whether on-premise or in their chosen cloud. This means we don’t share your data with anyone else. This aligns with GDPR’s requirement for data sovereignty and minimises third-party risks.

    Pseudonymisation of user IDs

    Matomo allows organisations to pseudonymise user IDs, replacing them with the output of a salted hash function. 

    Image depicting the working of the pseudonymisation feature by Matomo

    Because the stored identifiers no longer match the original user IDs, they cannot be traced back to a specific person without additional information.

    IP address anonymisation

    Data anonymisation refers to removing personally identifiable information (PII) from datasets so individuals can’t be readily identified.

    Matomo automatically anonymises visitor IP addresses, which helps respect user privacy. For example, if the visitor’s IP address is 199.513.1001.123, Matomo can mask it to 199.0.0.0. 

    It can also anonymise geo-location information, such as country, region and city, ensuring this data doesn’t directly identify users.

    Anonymise geo-location information with Matomo
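
    The two techniques described above (salted-hash pseudonymisation of user IDs and IP address masking), as an added sketch that is not Matomo's implementation: a keyed hash (HMAC-SHA256) stands in for the salted hash, and the IPv4/IPv6 mask widths, the event field names and all function names are assumptions. The sample events and the salt are constructed.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional


def pseudonymise_user_id(user_id: str, salt: bytes) -> str:
    """Replace a user ID with a keyed hash.

    The same ID always maps to the same pseudonym (so visits can still be
    grouped), but without the secret salt the mapping cannot be recomputed
    by hashing guessed IDs.
    """
    return hmac.new(salt, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def anonymise_ip(ip: str, v4_masked_bytes: int = 3, v6_keep_bits: int = 48) -> str:
    """Zero the trailing part of an address before it is stored.

    v4_masked_bytes=3 turns a.b.c.d into a.0.0.0, as in the article's example.
    v6_keep_bits is an assumption made for this sketch.
    Raises ValueError for input that is not a valid IP address.
    """
    if not 0 <= v4_masked_bytes <= 4:
        raise ValueError("v4_masked_bytes must be between 0 and 4")
    if not 0 <= v6_keep_bits <= 128:
        raise ValueError("v6_keep_bits must be between 0 and 128")
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) would otherwise leak the full IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 32 - 8 * v4_masked_bytes if addr.version == 4 else v6_keep_bits
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_event(event: dict, salt: bytes) -> dict:
    """Return a copy of a tracking event that is safe to store.

    Field names ("user_id", "ip") are hypothetical. An address that cannot be
    parsed is dropped instead of being stored in raw form.
    """
    cleaned = dict(event)
    if cleaned.get("user_id") is not None:
        cleaned["user_id"] = pseudonymise_user_id(str(cleaned["user_id"]), salt)
    raw_ip: Optional[str] = cleaned.get("ip")
    if raw_ip is not None:
        try:
            cleaned["ip"] = anonymise_ip(raw_ip)
        except ValueError:
            cleaned["ip"] = None
    return cleaned


if __name__ == "__main__":
    demo_salt = b"constructed-demo-salt"  # assumption: per-site secret kept out of the database
    # Constructed sample events using documentation address ranges.
    sample_events = [
        {"user_id": "customer-1042", "ip": "198.51.100.123", "url": "/pricing"},
        {"user_id": "customer-1042", "ip": "2001:db8:abcd:12:34:56:78:9a", "url": "/checkout"},
        {"user_id": "customer-7", "ip": "999.1.1.1", "url": "/"},  # malformed on purpose
    ]
    for sample in sample_events:
        print(scrub_event(sample, demo_salt))
```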


    Consent management

    Matomo offers an opt-out option that organisations can add to their website, privacy policy or legal page. 

    Matomo tracks everyone by default, but visitors can opt out by clicking the opt-out checkbox. 

    Our DoNotTrack technology helps businesses respect user choices to opt out of tracking from specific websites, such as social media or advertising platforms. They can simply select the “Support Do Not Track preference.”

    These help create consent workflows and support audit trails for regulators. 

    Data storage and deletion

    Keeping visitor data only as long as necessary is a good practice by default. 

    To adhere to this principle, organisations can configure Matomo to automatically delete old raw data and old aggregated report data. 

    Here’s a quick case study summarising how Matomo features can help organisations collect first-party data. CRO:NYX found that Google Analytics struggled to capture accurate data from their campaigns, especially when running ads on the Brave browser, which blocks third-party cookies.

    They then switched to Matomo, which uses first-party cookies by default. This approach allowed them to capture accurate data from Brave users without putting user privacy at stake. 

    The value of Matomo in first-party data strategies 

    First-party data gives businesses a reliable way to connect with audiences and to improve marketing strategies. 

    Matomo’s ethical web analytics lets organisations collect and analyse this data while prioritising user privacy. 

    With over 1 million websites using Matomo, it’s a trusted choice for organisations of all sizes. As a cloud-hosted service and a fully self-hosted solution, Matomo supports organisations with strong data sovereignty needs, allowing them to maintain full control over their analytics infrastructure.

    Ready to collect first-party data while securing user information ? Start your free 21-day trial, no credit card required.